Messages - bobbythomas

#91
Switched back to OpenSSL and it's now working.

Thank you,
Regards,
Bobby Thomas.
#92
/var/logs/radius.log shows the below message.

Thu Aug  3 01:02:35 2017 : Info: Debugger not attached
Thu Aug  3 01:02:35 2017 : Error: Refusing to start with libssl version LibreSSL 2.4.5 0x1000107f (1.0.1g release) (in range 1.0.1 release - 1.0.1t rele)
Thu Aug  3 01:02:35 2017 : Error: Security advisory CVE-2016-6304 (OCSP status request extension)
Thu Aug  3 01:02:35 2017 : Error: For more information see https://www.openssl.org/news/secadv/20160922.txt
Thu Aug  3 01:02:35 2017 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'

Looks like a vulnerability in LibreSSL is the root cause. Any fix available?

Thank you,
Regards,
Bobby Thomas
#93
Hi All,

I have just upgraded the firewall to 17.7 and then installed the Freeradius plugin. But I am unable to bring up the Freeradius service. I tried it through the GUI as well as through the CLI, but it doesn't start. Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas
#94
I agree with SecAficionado. Is it possible to add a Snort ruleset to the existing rule set?

Thank you,
Regards,
Bobby Thomas
#95
Ok. My public ip got changed again and I managed to capture some screenshots. The first one shows the OpenDNS dashboard before I TEST the connectivity in the OpenDNS plugin. The Last one shows the dashboard after the TEST. Any solution for this behaviour?
NB: I wasn't able to attach the OpenDNS plugin TEST result due to file size restrictions.

Thank you,
Regards,
Bobby Thomas
#96

[quote]
Running a firewall as a VM somewhat defeats the purpose of the firewall in my opinion.
I'm planning to use dedicated hardware for it :-)
[/quote]

That's really a debatable topic. I don't see any issues with running firewalls in a VM; in fact, most of the enterprise firewall vendors have VM deployment packages. It actually depends on how you configure the VM and the host.
#97
There seems to be some problem with the plugin: whenever my IP changes I have to do a TEST to update the new IP in the OpenDNS dashboard. Before I press the TEST button, the OpenDNS dashboard shows the old IP address. I have to manually assign the new IP or do a TEST to update the IP. Is there anything I can check in the logs? I can take some screenshots next time this happens.

Thank you,
Regards,
Bobby Thomas
#98
Hi,

I am having an issue with the OpenDNS plugin: it doesn't update the dynamic IP on OpenDNS automatically, and I need to manually do a test/update to update the new IP. Any fix for this?

Thank you,
Regards,
Bobby Thomas
#99
Why don't you have a look at Intel NUCs? They have AES-NI and other features. I am using an Intel NUC5PPYH (quad core Pentium based) and running OPNsense in a Proxmox VM along with 2 other VMs (a NAS and Zabbix server). The power utilisation is very low (less than 10 watts/hour) and performance is quite good. It doesn't have multiple NICs, so you will need to rely on USB NICs; as the NUC comes with USB3, you can easily plug in a USB3 gigabit NIC. I also have an Archer C7 running LEDE (OpenWrt) which can do the switching part. Let me know if you need more details about the hardware.

Regards,
Bobby Thomas
#100
Thank you Fabian for the suggestion. I was able to figure out the domain details using the browser, but I am still having issues with my Android banking app, which shows a network error. I believe it's pointing to some other domain, and since I have to access it through the app it's failing. Any ideas? Do I need to perform a tcpdump or packet capture?

Thank you,
Regards,
Bobby Thomas
#101
Hi,

I have been trying to set up a transparent SSL proxy on my OPNsense VM and I was able to do that successfully, but the problem is with the exclude list. I am unable to use certain banking websites and apps as they are getting filtered. I tried adding their domains to the exclude list, but I am having difficulty identifying the correct domains. Is it possible to analyze the SSL sessions so that I can identify the domain and add it to the exclude list? Does the packet capture feature work well with the transparent SSL proxy?

Thank you,
Regards,
Bobby Thomas
#102
Thank you Fabian, I didn't know that it will create a configuration backup after changes. I thought we can only restore to a previous config if we have taken a manual config backup.

Thank you,
Regards,
Bobby Thomas.
#103
Hi All,

I think I am pissed off. I was trying to change the web GUI certificate from the Let's Encrypt CA to a self-signed one, but as soon as I changed it I got locked out. Now I cannot access the web GUI. When I try, I get the following error "SEC_ERROR_INADEQUATE_CERT_TYPE" and I cannot bypass that one. I have imported the certificate to my PC and it is in the trusted CA container. Can we change the certificate back to the Let's Encrypt certificate through the CLI? Thanks in advance.

Edit: I am on 17.1.9 version.

Regards,
Bobby Thomas.
#104
Awesome man, I was looking to implement this. This will come in handy. I will implement this once I get back my firewall box. Have you tried this method with other ICAP AV engines?

Thanks,
Bobby Thomas.
#105
No, not yet, this was happening even after reset. I think I will need to go with the 17.1 upgrade. Unfortunately, my firewall box got fried. I am waiting for the replacement to arrive.